In recent days, Sony Group Corporation had confirmed a new data breach in their IT systems, with a server in Japan being the target this time, and Ransomedvc had claimed responsibility for it.

Sony has taken this server offline while the investigation is ongoing. There is currently no indication that customer or business partner data was stored on the affected server or that any other Sony systems were affected.  There has been no adverse impact on Sony operation

But it’s a story filled with contradictions and lies told by Ransomedvc, all in an attempt to be able to publish the (false) news of the largest data theft from the Japanese multinational.

We have successfully compromissed all of sony system

But the facts demonstrate something entirely different.

At certain points in the chat, we chose to omit some passages that we considered either unimportant to narrate or too sensitive.

Ransomedvc initially claims to have compromised all of Sony’s data, but contradicts themselves a few days later in their initial announcement, stating that they only have a portion of the multinational’s data. This statement comes directly from the cybercriminal, given to us a few days ago during a chat with them on Tox.

SuspectFile: I continue to think that the “Sony case” is very foggy, I think that there are no facts that confirm what you stated. But it’s possible that I’m wrong

Ransomedvc: the blogger mistake didnt write it right
I told him that we have got everything from the servers we got access to
not from all sony
but the breach is real, its not faked

SuspectFile: I am convinced, however, that many data can be traced back to old data breaches. But of course this is my opinion
Which blogger are you referring to?

Ransomedvc: we have a person that is working on the site
he barely understands english it seems
so he made a typo
because we didnt got all sony
as it was stated on our blog

Ransomedvc makes reference to a blogger who supposedly manages the website for publishing data breaches on their behalf. However, even on this statement, we don’t have concrete data. A few days earlier, during one of our interviews, when asked about the blog’s management, Ransomedvc had claimed to be the sole person managing the website.

 I am the one who runs ransomed.vc no one else manages it.

We pressed on this question because it wasn’t the first time that during our conversations, it seemed like Ransomedvc was trying to provide justifications, which were rather unconvincing, when they realized that their answers appeared contradictory.

SuspectFile: Oh ok. But from an answer you gave me, I understood that you would take care of the administration of the blog yourself

Ransomedvc: he has api access that he sends messages from
there are 500 breaches currently
that are in ongoing
[omitted]
so I am not in the time to manage the blog
he cant do anything bad to it
so I am the one who owns it

We had the opportunity to analyze the content of the data extracted from Sony’s server. Within the 2.89GB of files, we found those related to SonarQube, an open-source platform that allows for code quality checks and the execution of automated code reviews and static code analysis to detect potential bugs. Another example of data within the stolen material pertains to a license key generator emulator. However, many of the files we reviewed are old, dating from 2017 to 2021.

We had already described in a previous article what the shortcomings of Ransomedvc were. We had talked about a person who likes to show off, always ready to publicize and often overestimate their own work with details that have often turned out to be fake. The Sony case confirms the negative aspects we had written about Ransomedvc.

During the chat, they continued to explain that they would lack the time for blog management, but despite it all, the financial income in just one month has been very high.

Ransomedvc: its better to let someone manage the boat
than manage the capitans wallet
we made more than a million within a month, its weird I have the feeling something is happening

We asked how they had come into possession of that data, whether it was true that Ransomedvc had targeted Sony, or if it had been the enigmatic MajorNelson, a new user on BreachForums, who claimed responsibility for the attack on Sony’s IT systems.

SuspectFile: Good morning, tell me what is true between your statement of having hit Sony and what MajorNelson says instead

Ransomedvc: the story is long and I wont be sharing it in public
the mistake was ours for letting clowns work for us
about the actual guy behind nelson, he will suffer because the act he did. does not really matter anymore.
The sony breach itself is real
and the company will be striked by our lawyers no matter if we got paid or not since it got this public

SuspectFile: Sorry, but that doesn’t make much sense… I think. So you claim that MajorNelson worked for you? Could he be the clown? What exactly do you mean, without being suggestive, that the guy behind MajorNelson will suffer? In what terms will he have to suffer?

Ransomedvc: the guy worked for me yes. he got some wrong impression we want to harm him and decided to post it
sadly for him, I will make sure we get our revenge for the act of anger he did while not being connected with us
we will not comment the situation any further

We asked for details about the cyberattack on Sony, but we only received evasive answers from him. His behavior led us to believe that he couldn’t provide details simply because he didn’t know them. Once again, his responses are full of lies and contradictions.

SuspectFile: So when would your affiliate attack a part of Sony?

Ransomedvc: they just came one day and said
they got it, I checked and verified

SuspectFile: But when did the intrusion into the servers happen? Through VPN, RDP, phishing
[omitted] Which Sony company was hacked?

Ransomedvc: they have been working for a long time
they had a lot of access points
the date cant be
exact

SuspectFile: These are generic answers, you will have understood why my blog never mentioned this cyber attack [omitted]

Ransomedvc: well sony got leaked because our mistake
the data is answering for itself now
we lost a sum but no matter we going forward

His evasive and illogical responses prompted us to try to understand who MajorNelson from BreachForums really was. So, we went to his profile and saw that as of September 26, he had posted only one message, on the same day he registered on the forum, and hadn’t logged in since.

MajorNelson’s message is a critique of journalists who, in his opinion, believe everything they are told without verifying the news before publishing it. He claims that Ransomedvc are just scammers seeking visibility. Within the message, there is an URL to download the entire archive of data stolen during the Sony data breach.

You journalists believe the ransomware crew for lies. Far too gullible, you should be ashamed. RansomedVCs are scammers who are just trying to scam you and chase influence. Enjoy the leak.

Contents:

A lot of credentials for internal systems

SonarQube
Creators Cloud
Sony’s certificates
A device emulator for generating licenses
qasop security
Incident response policies
and more.

– MAJOR NELSON

https://[EDITED]

We compared the URL for MajorNelson’s archive with the one on Ransomedvc’s blog, as highlighted in the image below. Both archives were hosted on the BreachForums server.

Ransomedvc removed the URL pointing to the BreachForums server from their blog after a few days, replacing it with a link to a .torrent file, but downloading the archive proved to be impossible. After several hours, we were only able to download a few bytes.

We had previously discussed MajorNelson and what he had written in a thread on BreachForums, expressing his opinion of Ransomedvc by calling him a scammer. We sent him a private message within the forum asking for further details on the matter, even though we already knew we would never receive a response, and that was indeed the case.

After a few days, we contacted Ransomedvc again through Tox, posing more questions. This time, we asked for more details about the data breach and more information about MajorNelson. Ransomedvc claims that MajorNelson and IntelBroker are the same person. We don’t have concrete evidence to verify if this claim is true, but if the statements made by Ransomedvc were confirmed, we would be facing yet another attack carried out by one of the most sought-after individuals by the U.S. government. Who is IntelBroker?

SuspectFile: So what could be behind that behaviour, which you consider incorrect and outrageous towards you, which pushed MajorNelson to publish the data which, evidently, he himself had stolen? Furthermore, can you confirm that that data is new and not from old data breaches?

Ransomedvc: I should not confirm the data is old/new. the data can confirm itself.
about major nelson, we will take care
Behind MajorNelson is the individual IntelBroker and his brother (@Search and @Nationalist on breachforums)
currently both of them live in [omitted]
SuspectFile: Okay, so you’ll take care of this personally MajorNelson.
Why the decision not to resell their data to Sony, perhaps the knowledge that they would never pay a ransom?

Ransomedvc: its not worth it to waste our time over one simple breach like sony
here we leaked it for free
now everyone can enjoy
we have breached NTT the same day, the biggest telecom operator in japan. I cannot waste my time with sony. its leaked for free so people enjoy
sony will get the fine they deserve

SuspectFile: Regarding NTT, is it the work of some of your affiliates, for example Stormous or others?

Ransomedvc: its my own work

SuspectFile: Through which intrusion technique? VPN, RDP…

He never responded to this question. Could it be yet another lie?

Regarding the Sony attack, we had inquired with Ransomedvc about the quality of the exfiltrated data and the fact that most of it was old, primarily consisting of old tests. We noticed that the majority of the folders had been modified on September 24, the day following the data breach, as claimed by MajorNelson in his message on BreachForums.

We sought further confirmation that MajorNelson and IntelBroker were the same person. Here’s what he told us:

SuspectFile: Can you tell me who MajorNelson really is? Does he use any other aliases?
Is it correct if I say that MajorNelson is IntelBroker?

Ransomedvc: the truth is I didnt verify the data because well the intel broker is someone who did many jobs for me
and it never came to mind it could be similar shit
its like going to the same supermarket every day and one day the sell u a bad bread

SuspectFile: Ok, so IB and MN are the same person?

Ransomedvc: yes
@Nationalist on bf
@Search on bf
i mean how could I expect something
from IB
a guy that I helped when he had no money to buy food
what can I say, kids are kids until they land on the place they deserve to come to

SuspectFile: Ok, so IB/MN collected Sony “old junk” and made you believe it was collected a few days earlier.

Ransomedvc: yes the access WORKED
I tested it
this is why I said I verify there is something they have
this worked: until it was leaked

So, Ransomedvc confirms that MajorNelson and IntelBroker are the same person, but as we’ve seen, his responses are often shrouded in ambiguity and filled with contradictions. What is certain is that he possesses a vivid imagination, likely driven by a strong need to always be in the spotlight. He is an egocentric individual who has undoubtedly committed cybercrimes, but not to the extent he tried to make others believe. He is a habitual liar, always ready to exaggerate the stories he tells. Due to his flawed personality, he, in turn, risks becoming “trapped” and dominated by himself.

Certainly, within his narratives, there may be real stories, but amid the many falsehoods, discerning the true ones is by no means an easy task. But we can agree with Ransomedvc when he claims that MajorNelson and IntelBroker are the same person.